Note: This is an archival copy of Security Sun Alert 200156 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com
as Sun Alert 1000113.1.

Local users may be able to gain unauthorized root access, due to a buffer overflow in the XView library.

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

Solaris 2.4

Solaris 2.5

Solaris 2.5.1

Solaris 2.6 without patch 106331-05

Solaris 7 without patch 107374-02

Solaris 8 without patch 111626-01

x86 Platform

Solaris 2.4

Solaris 2.5

Solaris 2.5.1

Solaris 6 without patch 106353-05

Solaris 7 without patch 107375-02

Solaris 8 without patch 111627-01

Notes:

Only systems with XView applications that have the "set user ID bit" (suid) or the "set group ID bit" (sgid) set are at risk.

To check if an application has the "set user ID bit" or the "set group ID bit" set, use the "ls -l" command. In the output, an "s" in the user or group permissions indicates a "set user ID bit" or "set group ID bit" respectively:

% ls -l testapp
-r-sr-sr-x 5 root

To check if an application is an XView application, use the "ldd" command. In the output a line listing "libxview.so" indicates that the application uses the XView library and is an XView application.

The find and xargs commands can also be used to look for XView applications that are set user ID or set group ID. For example, to check the /usr/openwin directory for such applications, use the command:

In the output a line listing "libxview.so" indicates that the application uses the XView library and is an XView application.
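
The following script is an added example, not the advisory's own command. It combines the two checks described above: it finds files with the set user ID or set group ID bit and reports those whose "ldd" output lists "libxview.so". The function names and the LDD override variable are assumptions introduced for this example.

```shell
#!/bin/sh
# Added example: list set-uid / set-gid files under a directory that are
# linked against the XView library (libxview.so).
#
# LDD is a hypothetical override so the check can be exercised on a system
# without XView; by default the real "ldd" command is used.
LDD="${LDD:-ldd}"

# Print every regular file under $1 that has the set-uid (4000) or
# set-gid (2000) permission bit set.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Succeed if the dynamic dependencies of $1 include libxview.so.
# Output is discarded with a redirect because older grep lacks -q.
uses_xview() {
    "$LDD" "$1" 2>/dev/null | grep 'libxview\.so' >/dev/null
}

# Print an "ls -l" line for each set-uid / set-gid XView application
# found under $1 (default: /usr/openwin, the directory named above).
scan_xview() {
    find_suid_sgid "${1:-/usr/openwin}" | while IFS= read -r f; do
        if uses_xview "$f"; then
            ls -l "$f"
        fi
    done
}

# When run as a script with a directory argument, scan that directory:
#   sh scan_xview.sh /usr/openwin
if [ "$#" -gt 0 ]; then
    scan_xview "$1"
fi
```

Each line printed is an application that meets both risk conditions from the Notes section and is a candidate for the patch or the chmod workaround.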

The issue described in this document can only be exploited by users already having an account on the affected system.

Symptoms

There are no symptoms that would show the described issue has already been exploited to gain unauthorized root access to a system.

Workaround

As a possible workaround, the set user ID or set group ID bit of all affected XView applications might be removed using the "chmod" command. Removing the set user ID or set group ID bit of an application might keep it from functioning as expected.

The following application that is supplied with Solaris is potentially affected by the described issue:

/usr/openwin/bin/mailtool

Resolution

SPARC Platform

Solaris 6 with patch 106331-05 or later

Solaris 7 with patch 107374-02 or later

Solaris 8 with patch 111626-01 or later

x86 Platform

Solaris 6 with patch 106353-05 or later

Solaris 7 with patch 107375-02 or later

Solaris 8 with patch 111627-01 or later

Note: Solaris 2.4, 2.5 and 2.5.1 will require an upgrade to a later release.